Speakers

Offense Defense

Incident Response, Emerging Threat, SOC, Vulnerability, Security Development Life Cycle

Gilbert Sison

Still Has a Lot To Learn: Bypassing Machine Learning AV Solutions

Technical Lead, Managed Detection and Response
Trend Micro

Gilbert has over ten years of experience in the software security industry, all of it at Trend Micro. He has held several major roles in malware security, covering malware analysis, forensics, product testing and research. He has also delved into malware security sensors and big data threat analysis. He has also participated in security conferences, including a talk at the 2017 Virus Bulletin Conference where he presented the paper “Still has a lot to learn: Bypassing Machine Learning Security Solutions”. Currently, Gilbert is a technical lead of the Managed Detection and Response team at Trend Micro.

Still Has A Lot To Learn: Bypassing Machine Learning AV Solutions

Recently, the security industry has adopted various machine learning solutions to proactively prevent malware from infecting a system. This has the potential to be a game changer in the fight against malware. However, at this early stage of machine learning in the AV industry, recent malware innovations are already showing how this next-gen AV solution can be bypassed. This paper aims to show what techniques are readily available for malware writers to use to have a chance at infecting a system even with machine-learning-based security in place. First, we will provide an overview of the two most common machine learning approaches used by the AV industry today (static vs. dynamic), along with the pros and cons of each. We will then present how these machine learning approaches are affected by already established malware techniques that have proven effective against previous AV solutions. Next, we will discuss the latest malware innovations being used by malware authors to bypass these machine learning solutions. Lastly, we will show the possible trade-offs of actually using these malware innovations against the overall security solutions offered by the AV industry today.

John Simpson

N-day Vulnerability Research: Denying Attackers Their Low-hanging Fruit

Vulnerability Researcher
Trend Micro

John is a vulnerability researcher with the team formerly known as TELUS Security Labs in Toronto, Canada. John has previously worked as a consultant with experience in SOC engineering, penetration testing, vulnerability assessments, and secure code auditing for a variety of industries including banking, insurance and retail.

N-day Vulnerability Research: Denying Attackers Their Low-hanging Fruit

When people think of the term “vulnerability research”, the focus tends to be on the high-profile task of discovering new vulnerabilities, also known as 0-days. However, due to the low frequency with which attackers actually exploit 0-day vulnerabilities, properly defending a network requires a deep understanding of known vulnerabilities and how they function. This presentation will introduce the world of researching known vulnerabilities as experienced by the Trend Micro team formerly known as TELUS Security Labs, and provide insight into the end-to-end process used by the Vulnerability Research team. The presentation will cover why N-day vulnerability research is so important, how the team monitors for new vulnerabilities and performs triaging, the factors that play into how research candidates are chosen, and details on the research process and techniques through an illustrative example. In addition, the presentation will highlight some of the challenges that the researchers face in the course of their day-to-day work.

Mat Powell

100 0-days in 30 Minutes

Vulnerability Researcher, Zero Day Initiative
Trend Micro

Mat Powell is a vulnerability researcher with Trend Micro's Zero Day Initiative (ZDI). He is responsible for performing root cause analysis on vulnerabilities submitted to the program. Prior to joining ZDI, Mat worked with the Digital Vaccine Team, where he was responsible for malware and vulnerability analysis and for creating network-based signatures for the TippingPoint IPS. His technical background includes application development and intrusion analysis.

100 0-days in 30 Minutes

Hundreds of vulnerability reports are submitted to the Zero Day Initiative each year, but rarely does one generate a new path to over one hundred bugs. However, that exact scenario is how a recent bug report enabled me to find and ultimately disclose over 100 0-day vulnerabilities in the Wecon LeviStudioU SCADA Human Machine Interface (HMI). This type of asymmetric research is also known as variant hunting and, when used properly, can greatly enhance your research. This talk covers basic approaches for variant hunting in software. Using case studies, I cover various techniques including source code analysis, binary reversing and fuzzing. Finding a security vulnerability in a product can be a great thing. Using that one bug to open a pathway to 100 bugs is even better.

Fyodor Yarochkin

Looking Beyond the Hashes: Understanding Campaigns and Criminal Underground

Senior Threat Architect, Forward Looking Threat Research
Trend Micro

Fyodor is a threat researcher with FTR/Trend Micro Taiwan and holds a Ph.D. from EE, National Taiwan University. Fyodor is mainly focused on regional threat investigations, Russian and Chinese underground studies, and automation of the threat hunting process. Prior to Trend Micro, Fyodor's professional experience includes several years as a threat analyst and over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.

Looking Beyond the Hashes: Understanding Campaigns and Criminal Underground

As an information security company, we often focus on collecting and understanding malicious software samples. However, it takes more than a file sample to understand the attacker's nature and motivation. This presentation uses several investigation case studies to demonstrate how external data sources and Trend Micro’s internal data sets could be used to hunt threats and to collect and investigate artifacts related to a certain incident, victim or threat actor. The author will discuss how an understanding of criminal underground dynamics is helpful in the investigative process and demonstrate how the structural analytical approach is used to collect, analyze and cross-reference artifacts in order to understand a bigger picture. Lastly, some automation tools will be demonstrated and released.

Raymond Almanon

Security Operations Center in a Consumer Home Network

Senior Security Specialist
Trend Micro

Raymond has been in the cybersecurity industry for more than 12 years and has vast experience with consumer threats, from rootkits to ransomware and now IoT threats. He uses his extensive knowledge to influence improvements to existing consumer security products and to create tools that benefit customers. He has attended local and international trainings and conferences on cybersecurity, IoT, AI, and machine learning. He is currently part of the team building the Trend Micro Consumer Security Operations Center, which will help address evolving consumer threats that come with the advent of the IoT Era.

Security Operations Center in a Consumer Home Network

Throughout the years, the consumer malware landscape has kept changing, and new detection techniques are being developed to cope with this ever-changing “Cyber Threat” landscape. From a simple trojan to a sneaky rootkit, we now deal with ransomware, scams and vulnerable home devices. With the increasing number of IoT devices, the increasing adoption rate of new technologies and a total upgrade of our internet speed through 5G, the types of cyber threat are also changing quickly and, at the same time, rapidly adapting to the consumer’s home environment. One effective technique used in the enterprise to monitor and detect possible threats that attack your network is called a Security Operation Center, or SOC. This allows security experts to monitor, detect and respond to possible attacks and mitigate or contain the damage. So, the big question now is: can we use a Security Operation Center in a consumer home network environment? Can it protect Alexa, your smart TV or your IP camera from getting compromised? Can it address the ever-changing cyber threats that we encounter every day while we are at home chilling and watching Netflix? You will soon find out!